Wednesday, December 19, 2007

Downloading Google Maps tiles with gMapMaker for my N82

http://forum.mgmaps.com/viewtopic.php?t=1116

I'm happy to announce that gMapMaker, a tool by Damien Debin can now download map tiles in a format supported by MGMaps. You can get latest version 0.5 from http://www.mgmaps.com/cache/gMapMaker-setup.exe, it's a self-extracting zip archive. UPDATE: You need to have .NET Framework v2.0 installed for the program to work.

The program is easy to use and has the functionality of the previous MapTileCacher.pl and MapTileFE.pl scripts. It can only download map tiles from Google for now, but support for other sources will be added soon. To use it, follow these steps:
  1. If you had an older version of gMapMaker before installing v0.5, remove the folder "C:\Documents and Settings\\Local Settings\Application Data\gMapMaker"
  2. Install gMapMaker. When the installation is complete the application should start automatically.
  3. Choose one of the following two:
    1. batch download: Open your browser, navigate to http://www.mgmaps.com/create, select the area you want to download. Click Generate and save the .map file on your computer. Back in gMapMaker, select "MGMaps mode, use a .map file" as the operating mode then click "Go" and select the .map file saved.
    2. single area: Enter the coords, select the zoom level and map type for the area to download. Make sure the cache folder path ends with "MGMapsCache". Make sure you have selected "MGMaps mode, use entered area" as the operating mode. Click "Go".
  4. When the download is ready, you'll find all the map tiles in the selected MGMapsCache folder. Just copy this folder with all its subfolders to your memory card and configure MGMaps to use it. Move the map in MGMaps to the area/zoom level you downloaded map tiles for - use Menu->Go To and enter the coordinates, zoom level and map type.
  5. The application can also use a set of proxies for satellite imagery download in order to avoid having your IP address temp-banned by Google (which happens if you download many satellite tiles in a short time).

Mobile GMaps - Installation for Nokia N95

http://gmaps.freewebspace.com/
Acknowledgements:
Mobile GMaps is copyright © 2005-2007 by Cristian Streng (Thank you very much, your work is fantastic!!)
If there are any issues I will remove this page upon your request.
The objectives:

Download and install Mobile Gmaps to your Nokia N95
Download map tiles and configure Mobile Gmaps to use them as "stored maps"

Assumptions:


You have a Nokia N95 (lol, sorry, it had to be said.. :D)
This is the first attempt at installing Mobile Gmaps and stored maps (eg. not previously installed)
You are running Windows XP SP2 as the OS for which you will be executing the perl script and downloading map tiles
The PC you are using to download the map tiles has a native internet connection and does not rely on the use of a proxy
The microSD memory card in your phone has sufficient free space for the stored maps
You know how to establish a connection between your N95 and your PC (bluetooth or USB cable), or
You know how to transfer files to your microSD memory card
You will use the software and process that follows to achieve the desired outcome
You understand English (If not, you've persisted well and are probably attracted by the pretty colours on the page while not understanding a word)

If "no" to any of the above, then it's possible "steps" will fail and this brief instruction will not cater for every alternative software or process. I can only say that the following worked for me and I took the points from the forums that "tripped" other people up. (lol @ the disclaimer of sorts...)

What you will need to download:

N95 Alpha JAD File: mgmaps_n95-1_34_02-signed.jad (Current at the time of writing)
N95 Alpha JAR File: mgmaps_n95-1_34_02.jar (Current at the time of writing)
Perl Script: MapTileCacher.perl (current at the time of writing)
Perl for Windows: ActivePerl version 5.8.8.820
WGET: wget for Windows

Step 1
Installing Mobile GMaps:
Transfer the downloaded .JAD and .JAR files to the microSD memory card temporarily to install. In my example I have a folder called "installs" on the root of my memory card (E: )

Go to File Manager


Select the Memory Card and navigate to the folder you transferred the .JAD and .JAR to (in my case "Installs"); you will then see the two files.

Ensure you install from the .JAD file and not the .JAR file. (This is crucial!). Check this by selecting "View Details" from the options menu.

When confirmed that you have the .JAD file, click ok and then select to open and continue the install.
Unless you really want to install the app to the phone memory, select the memory card instead and allow the installation to complete.

That completes the installation of Mobile GMaps (Yes, I like old school arcade games... Go Galaga!! :D)
Step 2
Installing Activeperl:
Install the previously downloaded version of Activeperl and accept all installation defaults except where directed.
Accept the license agreement (obviously)
Unless you really feel the need to, don't bother changing the default installation path
Don't display the release notes (we have cooler things to do... :D)
Step 3
Copying wget:
Copy wget.exe that you previously downloaded, into C:\perl\bin (assuming you installed activeperl in the default location, otherwise change as appropriate.)
Step 4
Downloading Map Tiles:
Create a new folder on your PC (In my case C:\GMaps) and copy the previously downloaded MapTileCacher.perl file to it.
Rename the file extension from .perl to .pl. You should notice the .pl extension becomes associated with Activeperl
Execute perl script:
Double Click the MapTileCacher.pl file in explorer and you should get this window
Map Type:
Choose the map type you require. As in this example, type "GoogleMap" (without the quotation marks) NOTE: The input is case sensitive so do not enter "googlemap" else it will fail
Zoom Level:

For GoogleMap there are 20 zoom levels, each representing a different distance or resolution, as follows...


Level - Distance
0 = 3000km
1 = 2000km
2 = 1000km
3 = 500km
4 = 200km
5 = 100km
6 = 50km
7 = 30km
8 = 20km
9 = 10km
10 = 3km
11 = 2km
12 = 1km
13 = 500m
14 = 200m
15 = 100m
16 = 50m
17 = 30m
18 = 20m
19 = 10m

Choose the zoom level from 0 - 20. I personally use level 15 or 16 for street detail and level 9 for main highway (long distances) detail. You also have the ability to get a number of different levels for the same area which allows you to zoom in or out to the levels your memory card has. For the sake of this test, just choose one, say zoom level 15.

Coordinates:
Ok, now you need to define the area for which you want map tiles. These coordinates must be entered in decimal degrees format. I personally recommend using the following tool, which helped me considerably. Time for a small deviation...

Go to URL http://www.mapbuilder.net/ and navigate to the part of the world of interest to you. In my case, New Zealand, specifically a city called Lower Hutt in the bottom part of the North Island of New Zealand (Soon to be home of the America's cup and rugby world cup again, I hope! But I digress...)
Zoom in at the appropriate level of detail. Note that the zoom level represented here is what you can expect when the tiles are downloaded, so what you see here might influence your previous decision regarding the zoom level.
Top left:
Click the map at the upper left most part for the area you want. (You may wish to untick the automatically zoom in option. I found it a pain) It will add a red tear drop marker. Note the Latitude and Longitude values on the right hand side. Enter the numbers exactly as they are on the left side of the decimal point and 6 numbers on the right side of the decimal point.
eg. Latitude -41.1904103623711 would be represented as -41.190410
eg. Longitude 174.86303329467773 would be represented as 174.863033


Top Left entered as -41.190410, 174.863033
Bottom right:
Click the map at the lower right most part for the area you want. It will move the red tear drop marker. Note the Latitude and Longitude values on the right hand side. Enter the numbers exactly as they are on the left side of the decimal point and 6 numbers on the right side of the decimal point.
(as in the above example)


Bottom Right entered as -41.236898, 174.925518

Ready to Cache:

At this point the following information will be confirmed:
- Amount of tiles to be cached (in my case 49)
- Map Type (in my case GoogleMap)
- Zoom Level (in my case 15)



Press enter to continue and the download process will begin, as follows...
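A small tile-count check, added here as an example and not code from this guide or from MapTileCacher: it assumes the standard Web Mercator tile numbering (2^zoom tiles per axis, 256 px each) that Google's map tiles used, applies the guide's six-decimal entry rule, and reproduces the 49 tiles the script confirms for the Lower Hutt corners at zoom 15. Running it for several zoom levels first shows how much card space the "Advanced" step will cost before anything is downloaded.

```python
"""Tile-range and tile-count estimate for a MapTileCacher-style download.

Added example; the Web Mercator tile scheme below is an assumption about
how the Google map tiles were numbered, not code from the guide.
"""
import math


def truncate6(value):
    """Apply the guide's entry rule: keep the integer part and the first six
    decimals exactly as displayed, with no rounding (truncate toward zero)."""
    return math.trunc(value * 1_000_000) / 1_000_000


def latlon_to_tile(lat, lon, zoom):
    """Column and row of the Web Mercator tile containing a WGS84 point."""
    n = 2 ** zoom
    x = math.floor((lon + 180.0) / 360.0 * n)
    lat_rad = math.radians(lat)
    y = math.floor((1.0 - math.asinh(math.tan(lat_rad)) / math.pi) / 2.0 * n)
    # Clamp so a point on the antimeridian or at a pole stays inside the grid.
    return min(max(x, 0), n - 1), min(max(y, 0), n - 1)


def tile_range(top_left, bottom_right, zoom):
    """Inclusive (x0, y0, x1, y1) tile range for two (lat, lon) corners.
    Rows grow southward, so the top-left corner yields the smallest row."""
    x0, y0 = latlon_to_tile(*top_left, zoom)
    x1, y1 = latlon_to_tile(*bottom_right, zoom)
    # Tolerate the corners being entered in the opposite order.
    return min(x0, x1), min(y0, y1), max(x0, x1), max(y0, y1)


def tile_count(top_left, bottom_right, zoom):
    """Number of tiles the box covers at one zoom level (the figure the
    script confirms before it starts downloading)."""
    x0, y0, x1, y1 = tile_range(top_left, bottom_right, zoom)
    return (x1 - x0 + 1) * (y1 - y0 + 1)


def download_plan(top_left, bottom_right, zooms):
    """Tile counts per zoom level, for sizing a multi-level download such as
    the guide's 'Advanced' step before committing memory-card space to it."""
    return {z: tile_count(top_left, bottom_right, z) for z in zooms}


if __name__ == "__main__":
    # The guide's Lower Hutt corners, truncated the way the guide enters them.
    top_left = (truncate6(-41.1904103623711), truncate6(174.86303329467773))
    bottom_right = (-41.236898, 174.925518)
    print(tile_range(top_left, bottom_right, 15))  # (32300, 20505, 32306, 20511)
    print(tile_count(top_left, bottom_right, 15))  # 49
    print(download_plan(top_left, bottom_right, (9, 15, 16)))
```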

Download:
Depending on the area and zoom level, wget may take some time to complete, however, at the completion, the script will close and you should have a MGMapsCache folder in the root of the folder you executed the perl script from. In my case C:\GMaps\MGMapsCache\. Inside you should have a folder called GoogleMap_15. The number 15 relates to the zoom level selected so this may be different depending on what you chose.
Advanced:
Before uploading the resulting files to your phone, you could re-run the perl script and download map tiles of the same or a different area at a different zoom level. I have done this as follows...
Top left and bottom right area covers my whole country (New Zealand) which admittedly is not big, but downloaded at a zoom level of 9 (10km) and this is great for when I am travelling the open road and wanting a resolution of towns and cities. I also reset my top left and bottom right to my home city of Wellington (greater Wellington region) at a zoom level of 16.
Now I have two folders in my MGMapsCache folder each representing the two zoom levels and area of coverage. Now when I move outside my main city I need to either zoom out to 10km or download more map tiles.

Step 5:
Transfer to Phone

Ok, so arguably the hard bit is done; now you just have to get it to the phone. For obvious reasons of size, you will want to transfer these to the memory card.
Either connect the phone to your PC via USB or bluetooth (for obvious reasons of speed, USB is preferred over bluetooth), or remove the memory card and insert it into the PC via a media card reader/adapter. For the following, I am using a USB connection between my N95 and PC.
Plug your N95 into your PC via USB. If your N95 is set to ask on connection, select the mass storage mode.
Once the phone has been connected to the PC, confirm that you can see it in Explorer. Copy the folder C:\GMaps\MGMapsCache\ to the root of your memory card, as follows... (In my case, my memory card is labelled "Nokia 2GB" and the PC sees it as the H: drive.)



Your phone should reference the card as the E: drive when it is in the phone, but when connected to the PC this could be anything. When complete, unplug the phone.
Step 6:
Stored Maps:

Open MGMaps. When asked whether to allow MGMaps to use the network, say no (so we can test our results with assurance)
Obviously as a result of the previous answer there are no map tiles. Go to the menu and select "Settings"
Select Map Browsing, then select/tick Stored Maps. (Also choose Offline Mode if this is desired)
Check the storage Path and ensure it is set to E:. Save the settings and exit the application.
Step 7:
Preferences:
Before you restart MGMaps, you will want to change some application preferences to prevent being nagged on application start
Go to tools and open the Application Manager
Navigate to Mobile GMaps and select "open"
Navigate to "Read user data" and select "Always allowed"
Save options and exit.
Finished:
Now, assuming my instructions are correct and that you have followed them, you should be able to fire up Mobile GMaps and enjoy your downloaded map tiles.
Here is a portion of the area I cached at zoom level 15.
Here is the same point at zoom level 9

Wednesday, December 5, 2007

What to do if you have forgotten the CMOS password

At the DOS prompt type debug, run the commands from any one of the following methods, then restart the computer to clear the CMOS password. Five command sequences for clearing the CMOS password are given below.

Method 1
-o 70 16
-o 71 16
-q

Method 2
-o 70 11
-o 71 ff
-q

Method 3
-o 70 10
-o 71 10
-q

Method 4
-o 70 23
-o 71 34
-q

Method 5
-o 70 10
-o 71 ff
-q

The CMOS password can also be cleared in hardware by discharging the CMOS: open the case, remove the coin-cell battery and insert it the wrong way round for 2-3 seconds, or look for a CMOS-clear jumper on the motherboard and short it if there is one. Either clears the CMOS password. With some motherboards, plugging in an old ISA graphics or network card makes the board enter BIOS setup automatically, and you then only need to set a new password.

Some motherboards also accept a universal password to enter the BIOS, although this rarely works on older machines. Some AMI BIOS universal passwords are AMI, BIOS, PASSWORD, HEWITT RAND, AMISW, AMI_SW, LKWPETER, A.M.I; some Award BIOS universal passwords are AWARD_SW, j262, HLT, SER, SKY_FOX, BIOSTAR, ALFAROME, lkwpeter, j256, AWARD?SW, LKWPPETER, Syxz, aLLy, 589589, 589721, awkard.

Fixing Windows XP logging off automatically right after logon

Symptom: after the Windows 2000/XP logon window appears and the correct user name and password are entered, the "Loading your personal settings..." dialog appears, but it immediately returns to the logon window. Repeating the attempt makes no difference, and the same happens in Safe Mode: you cannot log on.

Solution 1: boot from the system CD, log into the Recovery Console, run copy c:\windows\system32\userinit.exe userinit32.exe, then restart and you can log on normally.
The cause is that the MSN FUNNY virus damaged the normal userinit.exe and changed the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the registry from C:\WINDOWS\system32\userinit.exe, to C:\WINDOWS\system32\userinit32.exe,
so after the copy Windows XP can find this logon handler and log on successfully.
Once logged in, restore this registry value.

Note: on a domain-joined computer, check whether Group Policy (computer or user) sets a logon script; the logon script may include a logoff command.

Solution 2: boot the computer from the operating system installation CD into the Recovery Console and type the following (Windows XP is used as the example; on Windows 2000 change windows to winnt in the command lines below). Lines starting with # are comments:

#create a temporary directory regTemp
md regtemp
#enter the System32\config directory
cd system32
cd config
#copy the five files from system32\config into the temporary directory just created
#the five files are: default, sam, security, software, system
copy default \windows\regtemp\
copy sam \windows\regtemp\
copy security \windows\regtemp\
copy software \windows\regtemp\
copy system \windows\regtemp\
#then delete the five files one by one.
del default
del sam
del security
del software
del system
#copy the five files from windows\repair into System32\config:
copy \windows\repair\default
copy \windows\repair\sam
copy \windows\repair\security
copy \windows\repair\software
copy \windows\repair\system
exit

After the restart the configuration files from when the system was first installed are restored, and you can log on.
However, many things have changed once you log in this way, and some programs may no longer work.
When I tried it, Word and Excel would not run.
So I restored the registry backup I had made earlier.
After the restore and a reboot, the system was basically back to normal.
Ha ha...

Solution 3:

This happens because %System%\system32\userinit.exe is not executed, so the system cannot start normally. Fix as follows:

Create regfix.reg with the following content and find a way to import it into the system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Restart and you are done!

Solution 4:

Boot from a Windows PE disc (the "Shenshan Hongye WinPE toolbox" is recommended), run its "ERD 2003 system repair" tool, set the system directory, then run the registry editor under it, locate [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon], change the UserInit value in the right-hand pane to C:\\WINDOWS\\system32\\userinit.exe, and restart!
Besides repairing from the installation CD, you can also repair over the LAN (modifying the registry remotely), e.g. with psexec.exe from PsTools: Psexec.exe \\<hostname> -u <admin user> -p <password> c:\windows\regedit -s d:\reg.reg

reg.reg contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"UIHost"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,\
6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,00,00,00

Solution 5:
A. If the affected machine can connect to the network:
1. Copy <system drive>:\windows\system32\userinit.exe from a healthy machine into the corresponding directory on the affected machine;
2. In the healthy machine's Registry Editor, use "Connect Network Registry" on the File menu to connect to the affected machine's registry, and check whether the following registry subkeys exist (note: keys, not values):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Userinit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Userinit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\Userinit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Userinit
The value [EventMessageFile] (type: expandable string) should contain: %SystemRoot%\System32\userinit.exe
The value [TypesSupported] (type: DWORD) should contain: 00000007
Also check whether the following value exists under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: [Userinit] (type: string) with content "E:\WINDOWS\system32\userinit.exe," (note: without the quotes, and E: in the string is the drive letter where your Windows XP is installed)

B. If the affected machine cannot connect to the network:
Boot from the system CD, log into the Recovery Console, run copy c:\windows\system32\userinit.exe userinit32.exe, then restart and you can log on normally.
The cause is that the MSN FUNNY virus damaged the normal userinit.exe and changed the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from C:\WINDOWS\system32\userinit.exe, to C:\WINDOWS\system32\userinit32.exe, so after the copy Windows XP can find this logon handler and log on successfully. Once logged in, restore the registry value.
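A defender's check for the tampering these solutions repair, added here as an example and not code from the post or from any tool it names: it parses the .reg export format used in solutions 3 and 4 (string values and the hex(2) REG_EXPAND_SZ value with continuation lines) and flags a Winlogon Userinit that no longer points at the stock userinit.exe. Both sample exports are constructed for the example.

```python
"""Parse a Winlogon .reg export and flag a redirected Userinit value.

Added example. The .reg syntax handled here is the subset shown in the post;
the two sample exports below are constructed, not captured from a machine.
"""
import re

# Registry key and value names are case-insensitive, so everything is
# compared lower-cased.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# Stock Userinit values, trailing comma included; anything else is suspect.
EXPECTED_USERINIT = {
    r"c:\windows\system32\userinit.exe,",
    r"%systemroot%\system32\userinit.exe,",
}

# Constructed export of the infected state the post describes: Userinit
# redirected to userinit32.exe; UIHost copied from the post's reg.reg.
TAMPERED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit32.exe,"
"UIHost"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,\
  6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,00,00,00
'''

# The post's regfix.reg (solution 3), which restores the stock value.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex2(payload):
    # hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated.
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export, with key
    paths and value names lower-cased."""
    # A trailing backslash continues a value on the next (indented) line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)).lower(), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):
            value = _decode_hex2(raw[len("hex(2):"):])
        else:
            value = raw  # dword:, plain hex:, etc. are kept undecoded
        result[current][name] = value
    return result


def check_winlogon(reg):
    """Return findings for the Winlogon key; an empty list means it looks stock."""
    findings = []
    values = reg.get(WINLOGON_KEY, {})
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value missing")
    elif userinit.lower() not in EXPECTED_USERINIT:
        findings.append(f"Userinit tampered: {userinit}")
    shell = values.get("shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(f"Shell tampered: {shell}")
    return findings


if __name__ == "__main__":
    print(check_winlogon(parse_reg(TAMPERED_REG)))
    print(check_winlogon(parse_reg(CLEAN_REG)))  # []
```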

Reposted from 左岸读书_blog! (http://dhlmtzx.edudh.net/oblog/)

Learn to rebuild the Windows registry from DOS

http://articles.techrepublic.com.com/5100-1035_11-1032874.html

It's amazing how many Windows problems are caused by a faulty registry, from Windows protection errors on startup to Windows hanging on shutdown. Severe problems resulting from severe registry damage may require a fresh install of Windows. But for most annoyances and anomalies caused by registry corruption, a quick rebuild will get you back to a smooth working system.

But what is the registry?
The registry is a database—an amalgam of two special files, SYSTEM.DAT and USER.DAT. These files are written to and edited much like any other database files, and just about any installation program will write to or edit them, although sometimes not as cleanly as we’d like. The "garbage in, garbage out" principle applies here, as well—except in the case of the registry, the "garbage out" seems to manifest itself as one or more Windows problems.

Third-party registry utilities
Before I begin describing the rebuilding process in detail, let me state that I know all about REGCLEAN and other Windows utilities that are supposed to cure registry ills. However, these programs work only if you can boot into Windows. Even then, Windows is using the very registry we're trying to clean. To me, this is like working on your car's engine while you're driving. Instead, we're going to clear things up another way. We're going to do it from DOS.
Warning: The following article involves editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.

Using REGEDIT in DOS
The utility we're going to use is REGEDIT.EXE—the same REGEDIT that we use in Windows also runs as a DOS program. REGEDIT.EXE supports command line arguments that allow us to do a complete registry rebuild, while leaving the "dirt" and empty spaces behind. We'll eliminate the need to repetitively type commands by creating four batch files that you can carry with you and run from a floppy.
For the sake of simplicity, we'll assume that SYSTEM.DAT, USER.DAT, and REGEDIT.EXE reside in the C:\WINDOWS directory.

Step one: Remove the ReadOnly and Hidden attributes from SYSTEM.DAT and USER.DAT
The first step in rebuilding the Windows registry from DOS is to remove the ReadOnly, Hidden, and System attributes from the SYSTEM.DAT and USER.DAT files. A batch file that allows you to toggle the attributes off and on at will (REGATT.BAT) looks like this:

@echo off

if not "%1"=="-" if not "%1"=="+" goto INSTRUCT
attrib %1r %1h %1s c:\windows\system.dat
attrib %1r %1h %1s c:\windows\user.dat
goto ENDIT
:INSTRUCT
echo.
echo You must specify a - or + parameter, as in "%0 +" or "%0 -"
:ENDIT
echo.

To use it, enter the command REGATT - or REGATT + to remove or add the file attributes, respectively.

Here's how REGATT.BAT works:
  • @echo off: Prevents the lines that follow from being displayed on the screen while the commands are being executed. The "@" prevents "echo off" from displaying.
  • if not "%1"=="-" if not "%1"=="+" goto INSTRUCT: This makes the batch file look for one parameter and limits the parameter choices to either "-" or "+." If neither is found, the script jumps to the INSTRUCT portion of the batch file. Note the use of the double "equals" signs (==).
  • attrib %1r %1h %1s c:\windows\system.dat: Runs the "attrib" command on SYSTEM.DAT with either "-r -h -s" or "+r +h +s," depending on the parameter.
  • attrib %1r %1h %1s c:\windows\user.dat: Runs the "attrib" command on USER.DAT the same as it does for SYSTEM.DAT.
  • goto ENDIT: Jumps over the INSTRUCT statement since all went well.
  • :INSTRUCT: Label that identifies this portion of the batch file.
  • echo.: Prints a blank line on the screen. Note that there is no space between "echo" and "."
  • echo You must specify a - or + parameter, as in "%0 +" or "%0 -": Instructions for using the batch file. The %0 is a variable that is automatically replaced by DOS with the name of the batch file you typed on the command line. If you typed regatt in lower case, the line will read "You must specify a - or + parameter, as in regatt + or regatt -." If you change the name of the batch file to "wom.bat" and type WOM in upper case, it will read "You must specify a - or + parameter, as in WOM + or WOM -" without further editing. Neat, huh?
  • :ENDIT: Label that identifies this portion of the batch file.
  • echo.: Prints a blank line on the screen before returning to the prompt.

Step two: Create a backup of SYSTEM.DAT and USER.DAT
The rebuilding process effectively destroys the current registry. If the rebuild fails (I've seen it happen when the DAT files are badly corrupted), there will be no registry. Having a corrupted registry to restore is better than having no registry at all.
To make a backup, we simply copy the "unattribbed" SYSTEM.DAT and USER.DAT files with REGBACK.BAT:

@echo off
if "%1"=="" goto INSTRUCT
copy c:\windows\system.dat c:\windows\system.%1
copy c:\windows\user.dat c:\windows\user.%1
goto ENDIT
:INSTRUCT
echo.
echo You must enter a 1 to 3 character file extension, as in "%0 sav"
:ENDIT
echo.

Most of the lines in REGBACK.BAT are similar to those in REGATT.BAT. The three unique lines are:
  • if "%1"=="" goto INSTRUCT: This jumps to the INSTRUCT section if no parameter is given after the "regback" command. Without a parameter, the value of %1 is null, so the statement translates to if ""=="" goto INSTRUCT and, since double-quotes indeed equal double-quotes, the script jumps to give the user instructions.
  • copy c:\windows\system.dat c:\windows\system.%1: Copies SYSTEM.DAT to SYSTEM.parameter. Be sure to limit your parameter to three allowable DOS characters.
  • copy c:\windows\user.dat c:\windows\user.%1: Copies USER.DAT to USER.parameter as above.

Step three: Rebuilding the registry
DO NOT ATTEMPT TO RUN THESE COMMANDS UNLESS YOU HAVE MADE BACKUP COPIES OF SYSTEM.DAT AND USER.DAT! Remember, you will destroy the existing copy of the registry in the rebuilding stage. If the rebuild fails, so will you. Be sure you have your own backup.
REGREBLD.BAT looks like this:

@echo off
echo.
echo Exporting registry contents. Please wait...
regedit /l:c:\windows\system.dat /r:c:\windows\user.dat /e c:\windows\newreg.reg

echo Rebuilding the Windows registry. Do not interrupt!
regedit /l:c:\windows\system.dat /r:c:\windows\user.dat /c c:\windows\newreg.reg

echo.
del c:\windows\newreg.reg
echo.

REGREBLD.BAT takes no parameters. Here's what the crucial lines do:
  • echo Exporting registry contents. Please wait...: The REGEDIT "export" command displays no information while it's executing. This is a courtesy line to let you know that something is happening.
  • regedit /l:c:\windows\system.dat /r:c:\windows\user.dat /e c:\windows\newreg.reg: Exports the contents of the current registry to a file we'll call "newreg.reg." The "/l:" and "/r:" switches point to the exact paths of SYSTEM.DAT and USER.DAT, respectively. The "/e" switch is for "export" and "c:\windows\newreg.reg" is the name of the target file that is created during the process.
  • echo Rebuilding the Windows registry. Do not interrupt!: Another courtesy statement. Unlike the "export" command, the REGEDIT "create" command displays a progress counter. However, it doesn't state what it's creating, only that it’s importing.
  • regedit /l:c:\windows\system.dat /r:c:\windows\user.dat /c c:\windows\newreg.reg: Creates a new registry from the contents of "c:\windows\newreg.reg." The key here is the "/c" switch, for "create." As soon as it is encountered, the current SYSTEM.DAT and USER.DAT are destroyed as new files are created from the data in newreg.reg. If this process is interrupted, the new registry will be incomplete and, therefore, useless.
  • echo.: The progress counter that is displayed by REGEDIT does not have a carriage return. This statement forces one at the completion of the "create" process.
  • del c:\windows\newreg.reg: Deletes the now unnecessary newreg.reg data file. You can remove this line if you want to look at the contents of newreg.reg before you delete it manually.

The full export/create routine can be quite time-consuming, depending on the size and state of the current registry. I've seen it take anywhere from five minutes to over an hour to rebuild the registry on desktop PCs. I don't recommend using it on laptops. If the rebuilding is successful (and most of the time it is), you won't need the next step.

Step four: Restoring a failed rebuild
Step four involves returning the registry to its previous state in the event a failed rebuild leaves you without working SYSTEM.DAT and USER.DAT files. We'll call this batch file REGRET.BAT. Remember the extension you used when creating your backups? You'll need it here:

@echo off
if "%1"=="" goto INSTRUCT
if not exist c:\windows\system.%1 goto NOFILE
if not exist c:\windows\user.%1 goto NOFILE
attrib -r -h -s c:\windows\system.dat
attrib -r -h -s c:\windows\user.dat
del c:\windows\system.dat
del c:\windows\user.dat
copy c:\windows\system.%1 c:\windows\system.dat
copy c:\windows\user.%1 c:\windows\user.dat
goto ENDIT
:NOFILE
echo.
echo Cannot locate one or more of your "%1" backup files!
echo Please verify your file extension and try again.
goto ENDIT
:INSTRUCT
echo.
echo You must give a valid backup file extension, as in "%0 ext"
:ENDIT
echo.

REGRET.BAT runs by entering “regret ext” at the prompt, where “ext” is the extension you used when creating your backups. If the ext files aren’t found, REGRET tells you. All of the REGRET commands are similar to ones we've used in the previous batch files. Note that after we delete the failed SYSTEM.DAT and USER.DAT files, we copy the backups to the DATs as opposed to renaming the backups. I never feel comfortable deleting critical backup files until I'm absolutely sure they won't be needed again. Delete them manually when you are comfortable.

Use what you’ve learned
Now that you have your batch files, go ahead and try them on a sick system. Boot the PC to a true DOS "Safe mode command prompt only" and run the files from a floppy. If you make the floppy bootable, be sure that you have an AUTOEXEC.BAT that contains a path statement pointing to C:\WINDOWS;C:\WINDOWS\COMMAND. A successful rebuilding of the registry will solve many of your "mysterious" Windows problems, including many Windows protection errors.

DOS commands

1. gpedit.msc-----Group Policy
2. sndrec32-------Sound Recorder
3. Nslookup-------IP address lookup
4. explorer-------open Windows Explorer
5. logoff---------log off
6. tsshutdn-------shut down after a 60-second countdown
7. lusrmgr.msc----Local Users and Groups
8. services.msc---local Services settings
9. oobe/msoobe /a----check whether XP is activated
10. notepad--------open Notepad
11. cleanmgr-------Disk Cleanup
12. net start messenger----start the Messenger service
13. compmgmt.msc---Computer Management
14. net stop messenger-----stop the Messenger service
15. conf-----------start NetMeeting
16. dvdplay--------DVD player
17. charmap--------Character Map
18. diskmgmt.msc---Disk Management
19. calc-----------Calculator
20. dfrg.msc-------Disk Defragmenter
21. chkdsk.exe-----Chkdsk disk check
22. devmgmt.msc--- Device Manager
23. regsvr32 /u *.dll----unregister a DLL
24. drwtsn32------ Dr. Watson
25. rononce -p ----shut down in 15 seconds
26. dxdiag---------DirectX diagnostics
27. regedt32-------Registry Editor
28. Msconfig.exe---System Configuration Utility
29. rsop.msc-------Resultant Set of Policy
30. mem.exe--------show memory usage
31. regedit.exe----Registry Editor
32. winchat--------XP's built-in LAN chat
33. progman--------Program Manager
34. winmsd---------System Information
35. perfmon.msc----Performance Monitor
36. winver---------check the Windows version
37. sfc /scannow-----scan for and restore damaged system files
38. taskmgr-----Task Manager (2000/XP/2003)
39. winver---------check the Windows version
40. wmimgmt.msc----Windows Management Instrumentation (WMI)
41. wupdmgr--------Windows Update
42. wscript--------Windows Script Host settings
43. write----------WordPad
44. winmsd---------System Information
45. wiaacmgr-------Scanner and Camera Wizard
46. winchat--------XP's built-in LAN chat
47. mem.exe--------show memory usage
48. Msconfig.exe---System Configuration Utility
49. mplayer2-------basic Windows Media Player
50. mspaint--------Paint
51. mstsc----------Remote Desktop Connection
52. mplayer2-------media player
53. magnify--------Magnifier
54. mmc------------open Microsoft Management Console
55. mobsync--------Synchronize
56. dxdiag---------DirectX diagnostics
57. drwtsn32------ Dr. Watson
58. devmgmt.msc--- Device Manager
59. dfrg.msc-------Disk Defragmenter
60. diskmgmt.msc---Disk Management
61. dcomcnfg-------Component Services
62. ddeshare-------DDE Share
63. dvdplay--------DVD player
64. net stop messenger-----stop the Messenger service
65. net start messenger----start the Messenger service
66. notepad--------open Notepad
67. nslookup-------network administration tool
68. ntbackup-------Backup and Restore
69. narrator-------Narrator
70. ntmsmgr.msc----Removable Storage
71. ntmsoprq.msc---Removable Storage Operator Requests
72. netstat -an----(TC) check connections and ports
73. syncapp--------create a Briefcase
74. sysedit--------System Configuration Editor
75. sigverif-------File Signature Verification
76. sndrec32-------Sound Recorder
77. shrpubw--------Create Shared Folder wizard
78. secpol.msc-----Local Security Policy
79. syskey---------system key encryption; once enabled it cannot be undone; adds a second password protecting Windows XP
80. services.msc---local Services settings
81. Sndvol32-------Volume Control
82. sfc.exe--------System File Checker
83. sfc /scannow---Windows File Protection
84. tsshutdn-------shut down after a 60-second countdown
85. tourstart------Windows XP tour (the tour offered after setup)
86. taskmgr--------Task Manager
87. eventvwr-------Event Viewer
88. eudcedit-------Private Character Editor
89. explorer-------open Windows Explorer
90. packager-------Object Packager
91. perfmon.msc----Performance Monitor
92. progman--------Program Manager
93. regedit.exe----Registry Editor
94. rsop.msc-------Resultant Set of Policy
95. regedt32-------Registry Editor
96. rononce -p ----shut down in 15 seconds
97. regsvr32 /u *.dll----unregister a DLL
98. regsvr32 /u zipfldr.dll------disable ZIP folder support
99. cmd.exe--------command prompt
100. chkdsk.exe-----Chkdsk disk check
101. certmgr.msc----Certificates
102. calc-----------Calculator
103. charmap--------Character Map
104. cliconfg-------SQL Server Client Network Utility
105. Clipbrd--------Clipboard Viewer
106. conf-----------start NetMeeting
107. compmgmt.msc---Computer Management
108. cleanmgr-------Disk Cleanup
109. ciadv.msc------Indexing Service
110. osk------------On-Screen Keyboard
111. odbcad32-------ODBC Data Source Administrator
112. oobe/msoobe /a----check whether XP is activated
113. lusrmgr.msc----Local Users and Groups
114. logoff---------log off
115. iexpress-------trojan bundling tool, ships with the system
116. Nslookup-------IP address lookup
117. fsmgmt.msc-----Shared Folders
118. utilman--------Utility Manager
119. gpedit.msc-----Group Policy

---------------------------------------------------------------------------------

DOS commands:
1) MD: create a subdirectory
1. Function: create a new subdirectory
2. Type: internal command
3. Format: MD [drive:][path]<subdirectory name>
4. Notes:
(1) "drive": the letter of the drive on which to create the subdirectory; if omitted, the current drive is used;
(2) "path": the parent directory of the subdirectory to create; if omitted, it is created in the current directory.

2) CD: change the current directory
1. Function: display the current directory
2. Type: internal command
3. Format: CD [drive:][path][subdirectory name]
4. Notes:
(1) If the path and subdirectory name are omitted, the current directory is displayed;
(2) "CD\" returns to the root directory;
(3) "CD.." returns to the parent directory.

3) RD: remove a subdirectory
1. Function: delete a directory from the specified disk.
2. Type: internal command
3. Format: RD [drive:][path][subdirectory name]
4. Notes:
(1) The subdirectory must be empty before it is removed: first enter the subdirectory, use DEL (the file-deletion command) to delete all files in it, then return to the parent directory and use RD to remove the subdirectory itself;
(2) The root directory and the current directory cannot be removed.

4) DIR: list a disk directory
1. Function: display the contents of a disk directory.
2. Type: internal command
3. Format: DIR [drive][path][/P][/W]
4. Notes: /P: when the directory has too many entries to fit on one screen, the screen keeps scrolling and is hard to read; with /P the listing is shown one page at a time, 23 lines of file information, then pauses with the prompt: Press any key to continue
/W: shows only file names, omitting file size and creation date and time. With this parameter five file names are displayed per line.

5) FORMAT: format a disk
1. Function: format a disk, laying out tracks and sectors; at the same time check the whole disk for defective tracks and mark bad ones; create the directory area and file allocation table so the disk is ready to receive DOS.
2. Type: external command
3. Format: FORMAT <drive:> [/S][/4][/Q]
4. Notes:
(1) The drive letter after the command cannot be omitted. When formatting a hard disk, the following prompt appears:
WARNING: ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)?
(Warning: all data on drive C will be lost; do you really want to continue formatting?)
(2) When formatting a floppy disk, the prompt is:
Insert new diskette for drive A:
and press ENTER when ready...
(Insert a new disk in drive A and press Enter when ready.)
(3) With /S, the DOS system files IO.SYS, MSDOS.SYS and COMMAND.COM are copied to the disk so it can be used as a DOS boot disk. Without /S the formatted disk can only store data and cannot boot;
(4) /4 formats a 360KB low-density disk in a 1.2MB high-density drive;
(5) /Q performs a quick format: it does not re-lay the tracks and sectors but only clears the root directory, file allocation table and boot sector, so it is faster.
(6) /U means unconditional format, destroying all data on the disk. Without /U a safe format is performed: a mirror file saving the original FAT and root directory is created first, so UNFORMAT can recover the original data if needed.

6) SYS: copy the system files
1. Function: transfer the DOS system files IO.SYS, MSDOS.SYS and COMMAND.COM from the current drive to the specified drive.
2. Type: external command
3. Format: SYS [drive:]
* Notes: if the disk has too little free space for the system files, the prompt is: No room for system on destination disk.

7) COPY: copy files
1. Function: copy one or more files to the specified disk.
2. Type: internal command
3. Format: COPY [source drive][path]<source file name> [target drive][path][target file name]
4. Notes:
(1) COPY copies data file by file; the target disk must already be formatted;
(2) During copying, an old file of the same name on the target disk is replaced by the source file;
(3) Before copying, make sure the target disk has enough space, otherwise an "insufficient" error message appears indicating that disk space is insufficient;
(4) The wildcards "*" and "?" may be used in file names to copy several files at once;
(5) The source file name in a COPY command must be given and cannot be omitted.
(6) The target file name may be the same as the source file name ("same-name copy"); the target file name may then be omitted;
(7) The target file name may also differ from the source file name ("renaming copy"); the target file name must then be given;
(8) Several files can also be combined into one ("concatenating copy"), with the format: COPY [source drive][path]<source file 1>+<source file 2>... [target drive][path]<target file name>;
(9) COPY can also create a file from keyboard input, with the format: COPY CON [drive:][path]<file name>;
(10) Note: in the COPY syntax there must be a space between the source file name and the target file name!

8) REN: rename files
1. Function: change a file's name
2. Type: internal command
3. Format: REN [drive:][path]<old file name> <new file name>
4. Notes:
(1) The new file name cannot be preceded by a drive letter or path, because the command only renames files on the same disk;
(2) Wildcards may be used to change a group of file names or extensions.

9) ATTRIB: change file attributes
1. Function: change the attributes of the specified files. (For file attributes see section 2.5.4(2), File attributes)
2. Type: external command.
3. Format: ATTRIB [file name] [+R][-R][+A][-A][+H][-H][+S][-S] [/S]
4. Notes:
(1) +R sets the file read-only, so it can only be read and cannot be written to or deleted; -R removes the read-only attribute;
(2) +A sets the archive attribute; -A removes it;
(3) +H sets the hidden attribute; -H removes it;
(4) +S sets the system attribute; -S removes it;
(5) /S applies the setting to all subdirectories under the current directory as well.

10) DEL: delete files
1. Function: delete the specified files.
2. Type: internal command
3. Format: DEL [drive:][path]<file name> [/P]
4. Notes:
(1) With /P, the system asks before deleting whether you really want to delete the file; without it, the file is deleted without asking;
(2) The command cannot delete files with the hidden or read-only attribute;
(3) Wildcards may be used in the file name;
(4) Deleting all files on a disk (DEL *.* or DEL .) prompts: Are you sure? Answer Y to delete or N to cancel the deletion.

The registry under MS-DOS

The Registry Editor runs not only under Windows but also from the MS-DOS command line. Note that "MS-DOS" here means real-mode MS-DOS, not the MS-DOS emulation window inside Windows: press F8 at boot and choose "Command prompt only" from the startup menu, or under Windows choose Start > Shut Down > "Restart the computer in MS-DOS mode".

The MS-DOS registry editor is not as powerful as the Windows one, but it has its own strengths, for example when the system is so damaged that Windows will not start. First, the registry physically lives in two files, System.dat and User.dat; all registry data is stored in them. With that in mind, here is what the MS-DOS registry editor can do.

1. Export a registry file

Use this to back up the registry.

Command format:

Regedit /L:system /R:user /E filename.reg Regpath

Parameters:

/L:system specifies the path of the system.dat file.

/R:user specifies the path of the user.dat file.

/E tells the registry editor to export; it is followed by a space and the name of the file to export to.

Regpath specifies which registry branch to export; if omitted, the whole registry is exported.

Notes:

/L:system and /R:user are optional; if omitted, the registry editor operates on system.dat and User.dat in the Windows directory. If you booted from a floppy, however, you must use /L and /R to give the actual paths of System.dat and User.dat, otherwise the registry editor will not find them.

Example:

To export every branch under HKEY_CLASSES_ROOT from C:\Windows\System.dat and C:\Windows\Profiles\User.dat into file1.reg:

Regedit /L:C:\Windows\ /R:C:\Windows\Profiles\ /E file1.reg HKEY_CLASSES_ROOT

Most of the time you just want to export the whole registry from the default location: Regedit /E Allfile.reg

2. Import a registry file

Imports the given registry file, creating or overwriting the subkeys, value names and values it contains.

Command format:

Regedit /L:system /R:user file.reg

Parameters:

/L:system specifies the path of the system.dat file.

/R:user specifies the path of the user.dat file.

Notes:

Importing differs from exporting in its parameters: only the path of the .reg file to import is needed, with no switch such as /E or /C.

Example:

To import the file1.reg exported in the previous example into C:\Windows\System.dat and C:\Windows\Profiles\User.dat: Regedit /L:C:\Windows\ /R:C:\Windows\Profiles\ file1.reg

3. Rebuild the registry

Rebuilds the entire registry, i.e. recreates System.dat and User.dat, from the contents of the given .reg file.

Command format:

Regedit /L:system /R:user /C file.reg

Parameters:

/L:system specifies the path of the system.dat file.

/R:user specifies the path of the user.dat file.

/C tells the registry editor to rebuild the registry from the contents of the given .reg file.

Notes:

/C is a dangerous option: it imports the complete contents of the given file and creates a brand-new registry from scratch. Anything not in that file is gone, so only use it with a complete export made with Regedit /E.

Example:

To rebuild the whole registry from file1.reg and save it to C:\Windows\System.dat and C:\Windows\Profiles\User.dat:

Regedit /L:C:\Windows\ /R:C:\Windows\Profiles\ /C file1.reg

4. Delete a registry branch

Deletes one subkey branch from the registry.

Command format:

Regedit /L:system /R:user /D REGPATH

Parameters:

/L:system specifies the path of the system.dat file.

/R:user specifies the path of the user.dat file.

/D tells the registry editor to delete the subkey branch named by REGPATH.

Notes:

/D removes everything under the given subkey: all subkeys, value names and values. Export the branch with /E first so that legitimate entries (in the Run key below, for example, the autostart entries of your antivirus) can be restored.

Example:

To delete the branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Regedit /L:C:\Windows\ /R:C:\Windows\Profiles\ /D HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

5. Registry Checker

The MS-DOS Registry Checker, Scanreg.exe, backs up and restores the registry.

Command format:

Scanreg /backup /restore /comment /fix

Parameters:

/backup backs up the registry immediately

/restore lists all backups by date and time and lets you choose one to restore

/comment shows, in the /restore list, the comment stored with each backup

/fix repairs errors in the registry files

Notes:

In the list of backups, compressed backups appear as .CAB files followed by the word Started or NotStarted. Started means Windows has booted successfully with that backup, so it is a known-good copy; NotStarted means that backup has not yet been used to start Windows, so it is not known whether it is good.

Example:

To list all backups together with their comments: Scanreg /restore /comment

If the registry is damaged, Scanreg can also repair it: Scanreg /fix
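As an added example (not part of the original post), here is a small Python parser for the .reg files that Regedit /E writes and that a plain Regedit import or Regedit /C reads, used to list autostart entries from an export offline, for instance before deciding what Regedit /D should remove. It handles the text format shared by REGEDIT4 (Windows 9x) and "Windows Registry Editor Version 5.00" exports: [key] headers, "name"=data lines, @ for the default value, dword:, hex: with backslash line continuation, and the [-key] / "name"=- deletion forms. The sample export is constructed for the demo (the value names echo entries discussed elsewhere on this page); it is not a capture from a real machine.

```python
"""Parse a Regedit export (.reg) offline and list autostart entries.

Added example, not from the original post. Version 5.00 files on disk are
UTF-16LE; decode them to str before calling parse_reg.
"""
import re

# Keys whose string values are launched automatically at boot/logon (any hive).
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)

# "name"=data  or  @=data (default value); the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^("((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # Inside .reg strings a backslash escapes the next backslash or quote.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; a key deleted by [-key] maps to None."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                    # continuation of a hex: value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = bytes.fromhex(pending[1].replace(",", ""))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):            # [-key]: the key is deleted on import
                keys[current[1:]] = None
                current = None
            else:
                keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])        # REG_SZ
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)            # REG_DWORD
        elif data == "-":                                      # "name"=-: value deleted on import
            keys[current][name] = None
        elif data.startswith("hex"):                           # hex:, hex(2):, hex(7): raw bytes
            blob = data.split(":", 1)[1]
            if blob.endswith("\\"):
                pending = [name, blob.rstrip("\\")]
            else:
                keys[current][name] = bytes.fromhex(blob.replace(",", ""))
        else:
            keys[current][name] = data
    return keys


def autostart_entries(keys):
    """Return [(key_path, value_name, command)] for string values under the Run keys."""
    found = []
    for path, values in keys.items():
        if values and any(path.upper().endswith("\\" + k.upper()) for k in AUTOSTART_KEYS):
            found += [(path, n, d) for n, d in values.items() if isinstance(d, str)]
    return found


# Constructed sample export (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"
"SysMonXP"="C:\\WINDOWS\\SysMonXP.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Program Files\\Tool\\cleanup.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"Sample"=hex:00,01,02,\
  03,04
'''

if __name__ == "__main__":
    for path, name, cmd in autostart_entries(parse_reg(SAMPLE_EXPORT)):
        print(f"{path}\n    {name} -> {cmd}")
```

Run it against a real export with `parse_reg(open("Allfile.reg", encoding="utf-16").read())`; every entry it lists is something that starts without user interaction, so anything you do not recognise is worth checking before the next reboot.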

Sunday, December 2, 2007

ntdelect.com, i.e. WORM_NSPM.JS: removal instructions

Virus name: WORM_NSPM.JS

Risk level: low

Summary: this worm may be downloaded silently when the user visits a malicious web site.

It drops files/components, some of which Trend Micro products detect as TROJ_NSPM.VY, so the dropped files are also found on the infected system.

It uses a dropped .sys file as a rootkit component to hide its files and processes.

It spreads by dropping copies of itself together with an Autorun.INF file on all physical and removable drives and shared folders; when such a drive is opened, the dropped file is executed automatically.

It also connects to web sites to download copies of itself.

Affected systems: Windows NT, 2000, XP, Server 2003

Removal: identify the malicious files

1. Scan your computer with a Trend Micro antivirus product.

2. Note the path and file name of every file detected as WORM_NSPM.JS.

Trend Micro users should download the latest pattern file before scanning. Other users can use HouseCall, Trend Micro's free online virus scanner.

Delete the malicious files with the Recovery Console

For Windows NT, 2000, XP, Server 2003

The following procedure boots the computer from the Windows installation CD, so the rootkit driver is not loaded while the files are deleted.

1. Insert your Windows installation CD in the drive.

2. Press the computer's reset button.

3. After the restart, press any key to boot from the CD.

4. When the main menu appears, press r to start the Recovery Console.

(Note: on Windows 2000, after pressing r, press c in the repair options screen to choose the Recovery Console.)

5. When the console starts, enter the number of the Windows installation you want to log on to and press Enter.

6. Enter your Administrator password to log on.

7. Type the following command and press Enter:

del %System%\wincab.sys

(Note: %System% is the Windows system directory, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. Type the real path: the Recovery Console does not expand this placeholder.)

8. Repeat for the following file:

del %System%\kavo.exe

9. Repeat for every file detected earlier.

10. Type exit to restart the system.

Delete the autostart entries from the registry

This procedure deletes/modifies registry entries added/modified by the malware. Before proceeding, make sure you know how to back up the registry and how to restore it if something goes wrong; see the Microsoft article on editing the registry.

1. Open the Registry Editor: click Start > Run, type REGEDIT and press Enter.

2. In the left pane, double-click HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run

3. In the right pane, find and delete the value

kava = "%System%\kavo.exe"

4. In the left pane, double-click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services

5. Still in the left pane, find and delete the key

ghtrfdcxdswea

(this is the service that loads the wincab.sys rootkit driver deleted above)

6. Close the Registry Editor.

Restore modified registry values

This procedure restores registry values added/modified by the malware. Before proceeding, make sure you know how to back up the registry and how to restore it if something goes wrong; see the Microsoft article on editing the registry.

1. In the left pane of the Registry Editor, double-click HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden > SHOWALL

2. In the right pane, find

CheckedValue = "0"

3. Right-click it, choose Modify, and change the value to

1

4. Close the Registry Editor.

(The worm sets CheckedValue to 0 so that the "Show hidden files and folders" option in Folder Options no longer takes effect, keeping its hidden dropped files out of sight.)

Delete the malicious Autorun.INF file(s)

Do not double-click the drives to look for the file: opening a drive that way is exactly what runs the worm's Autorun.INF. Use Search and Notepad as described here, or a command prompt.

1. Right-click Start and click "Search..." or "Find...", depending on your system.

2. In the Name box, type:

AUTORUN.INF

3. In the Look In drop-down list, choose a drive and press Enter.

4. Select the file and open it with Notepad.

5. Check whether the file contains the following:

open=ntdelect.com

;shell\open=Open(&O)

shell\open\Command=ntdelect.com

shell\open\Default=1

;shell\explore=Manager(&X)

shell\explore\Command=ntdelect.com

(note the spelling: ntdelect.com imitates ntdetect.com, a legitimate boot file in the root of the system drive; the look-alike name is the worm's, not the system's)

6. If it does, delete the file.

7. Repeat steps 3 to 6 for the AUTORUN.INF files on the other drives.

8. Close the search results window.
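Checking AUTORUN.INF by eye on every drive does not scale to a room full of USB sticks. As an added example (not part of the original removal guide), the Python below parses an autorun.inf and flags the layout used by this worm: redefining Explorer's own "open" and "explore" verbs so that double-click and right-click > Explore run the payload, plus a target name that imitates a system file. The malicious sample reproduces the lines listed above; the clean one is a constructed, ordinary CD autorun. The set of imitated system names and the one-character look-alike rule are this example's own heuristics, not something the guide defines.

```python
"""Parse an autorun.inf and flag the verb-hijacking layout used by USB worms.

Added example, not part of the original post. Samples below are constructed.
"""
import re

# Explorer verbs a legitimate autorun.inf has no reason to redefine. Overriding
# them makes double-click (open) and right-click > Explore run the payload.
EXPLORER_VERBS = {"open", "explore"}

# System file names worms like to imitate (this example's own list).
SYSTEM_NAMES = {"ntdetect.com", "ntldr", "autoexec.bat", "explorer.exe",
                "svchost.exe", "rundll32.exe", "winlogon.exe"}

_VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}; ';' lines are comments."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command):
    """Lowercase base name of the executable a command line starts with."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like(name, reference, max_subst=1):
    """True if name has the same length as reference and differs in at most max_subst characters."""
    if len(name) != len(reference):
        return False
    return sum(a != b for a, b in zip(name, reference)) <= max_subst


def assess_autorun(text):
    """Return ('malicious' | 'clean', [reasons]) for the text of an autorun.inf."""
    entries = parse_autorun(text)
    reasons, launched = [], {}
    for key, value in entries.items():
        verb = _VERB_COMMAND.match(key)
        if key in ("open", "shellexecute"):
            launched[key] = program_of(value)
        elif verb:
            launched[key] = program_of(value)
            if verb.group(1) in EXPLORER_VERBS:
                reasons.append(f"{key} overrides Explorer's built-in '{verb.group(1)}' verb")
    for exe in sorted(set(launched.values())):
        for sysname in sorted(SYSTEM_NAMES):
            if exe != sysname and looks_like(exe, sysname):
                reasons.append(f"{exe} imitates the system file name {sysname}")
    return ("malicious" if reasons else "clean"), reasons


# Constructed samples: the worm's file as listed in the removal steps, and a plain CD autorun.
WORM_AUTORUN = """[autorun]
open=ntdelect.com
;shell\\open=Open(&O)
shell\\open\\Command=ntdelect.com
shell\\open\\Default=1
;shell\\explore=Manager(&X)
shell\\explore\\Command=ntdelect.com
"""

CD_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product CD
open=setup.exe /autorun
"""

if __name__ == "__main__":
    for sample in (WORM_AUTORUN, CD_AUTORUN):
        verdict, why = assess_autorun(sample)
        print(verdict, *why, sep="\n  ")
```

The verb check is the one that matters: a CD installer uses open= or shellexecute= and leaves Explorer's verbs alone, while a worm must redefine "open" to survive a cautious user who right-clicks the drive. Read the file from the drive root without opening the drive in Explorer (for example from a command prompt), since opening it is what triggers the autorun.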

Important cleanup note for Windows ME/XP

Users of Windows ME and XP must disable System Restore so that the infected system can be scanned completely; otherwise copies of the worm held in restore points survive the cleanup and can be restored later.

Users of other Windows versions need not follow this extra step.

Sunday, November 25, 2007

The end of AV: killing "AV Terminator" by hand

AV Terminator (AV终结者) has been rampant lately and plenty of people have caught it; many turn pale at the mere mention of it. Yet wiping this virus out completely is not hard. Below we send AV Terminator to its death, step by step.

1. Symptoms of AV Terminator

If your computer shows the following symptoms:

1. security software will not run; 2. security web sites cannot be opened; 3. drive letters cannot be opened; 4. Task Manager will not run; 5. Safe Mode cannot be entered;
...
then, with my sympathies for your misfortune, this is a fairly sure sign that you have AV Terminator.

2. How AV Terminator works

AV Terminator is not one particular virus but a family of viruses sharing the same traits. Their names vary, but the symptoms they produce are much the same and so is the mechanism. AV Terminator is really an umbrella name for this family.

The basic mechanism is hijacking of the system's IFEO entries.
Image hijacking (IFEO, Image File Execution Options) refers to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This key exists mainly for debugging programs and means little to ordinary users. By default only Administrators and Local System have permission to read, write and modify it.
In plain terms: you want to run QQ.exe, but what actually runs is FlashGet.exe; QQ has been hijacked by FlashGet, i.e. the program you wanted to run has been replaced by another one.
Image-hijacking viruses hijack legitimate programs by modifying HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Say a virus vires.exe wants to hijack QQ: it creates a subkey named qq.exe under that key and, under it, a string value named debugger whose data is C:\WINDOWS\SYSTEM32\VIRES.EXE (the directory where the virus is hiding). That is all it takes. Windows treats the Debugger value as the debugger to start in place of the requested image, handing it the original command line, so the virus runs every time QQ is launched. If the string is set to some arbitrary other value instead, the system simply reports that the file cannot be found. The lookup is by file name only, which is why renaming a security tool's executable lets it start again.
Once you understand how these viruses work, eliminating them becomes easy.

3. Removing AV Terminator

Step one: cleaning with Ghost
If you have a Ghost backup, removal is relatively easy: restore the backup and, after entering the system, do nothing else. Start WinRAR from the Start menu, browse the root directory of every drive, delete the AUTORUN.INF files and any other suspicious files, and the cleanup is done.
Alternatively, after restoring, boot into a PE environment and run WinRAR there for the same steps. I do not yet know whether AV can infect PE, so browsing the drives with WinRAR is the safer choice.
Remember: after restoring the system do not open, and above all do not double-click, any drive, or all the work is undone.
The virus may also have damaged the .GHO backup file; if the backup is corrupt we have to look for other ways to clean up.
Step two: dedicated removal tool
Download Kingsoft's AV Terminator removal tool and run a scan; search Baidu for "AV终结者专杀" or download it directly from Kingsoft's home page. Run the scan; if that solves the problem, all the better; if not, a more involved method is needed.
Step three: manual removal
Tools needed:
Autoruns 8.61
Download:
http://yutian8888.ylmf.net/??47
IceSword 1.20, SREng 2, USBCleaner 6.0 (update it after downloading), Wsyscheck 0624, a forced file deletion tool
Download:
http://yutian8888.ylmf.net/??65

Removal steps:
1. Browse each drive's root directory with WinRAR, open the AUTORUN.INF file and note the DLL file it refers to (the DLL names are random and differ from one virus file to the next; as said above, AV is an umbrella name for a family, so I can only give the principle of removal here). Write down these DLL names.
2. Run Wsyscheck (or IceSword; they do much the same, I am used to Wsyscheck, so it is the example here). If the system says it cannot run, rename it, e.g. to ABC.EXE or ABC.COM, because the virus may have hijacked the Wsyscheck image and it will not run under its own name.
Look at the modules loaded by the red and purple processes. For purple ones, if any of the DLLs referenced by the AUTORUN.INF files are among their modules, delete those DLL modules directly. Red processes are typical virus processes (suspicious ones you do not recognise); end them. If you are sure a process is the virus, choose "end process and delete file".

Service management: shows all hidden services, including those not visible in the system's service list, so services loaded by the virus are easy to delete.

File management: shows all hidden files and folders; stubborn virus files that WinRAR cannot delete can be deleted here.
Registry management: the virus may disable the system registry editor so that REGEDIT.EXE will not run; open the registry with Wsyscheck instead and search these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Most viruses and Trojans run by adding themselves to the system's startup entries, and some register as system services; both are done by modifying the registry.
Find the keys above and delete the suspicious values. Generally the values here correspond to the virus DLL modules, driver/service files and process names, so abnormal registry entries are easy to spot.

3. Rename Autoruns as well, run it, open the Image Hijacks tab and delete every entry except "Your Image File Name Here without a path"!

Or use Wsyscheck's registry manager to go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and delete every subkey except "Your Image File Name Here without a path"!
Check what each entry points to before deleting: IFEO is also used legitimately (Process Explorer's "Replace Task Manager" writes a Debugger value for taskmgr.exe, and some subkeys carry only compatibility flags with no Debugger value at all). Only a Debugger value that points at an unknown executable is a hijack.

4. Run SREng to repair the EXE file association and Safe Mode.
5. Run USBCleaner 6.0 to repair "show hidden files and system files" (this tool can also repair Safe Mode).

6. Reboot into Safe Mode, run a full scan with USBCleaner 6.0, then run a full scan with your antivirus.

7. Reboot into Windows and check again
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
and delete any suspicious values.
Run MSCONFIG and remove suspicious startup items.

8. AV Terminator has now been wiped out.
Step four: preventing AV Terminator
Immunizing by redirecting the virus program only works against known viruses and is helpless against unknown AV variants:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppoolsv.exe]
"Debugger"="123.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logo_1.exe]
"Debugger"="123.exe"
The .reg above uses the "Golden Pig" (金猪报喜) and Viking (威金) viruses as examples. Even if these viruses sit in the system's startup entries and are launched with the system, the image-hijack redirection makes Windows report that the virus file (logo_1.exe and sppoolsv.exe here) cannot be found, because the non-existent debugger 123.exe is what it tries to start. Satisfying, isn't it? The virus gets a taste of its own medicine.
We cannot truly immunize against AV Terminator, but we can prevent IFEO hijacking altogether, as follows:
If the user has no access to the registry key, the virus running as that user cannot modify it either. Open the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, select the key, right-click > Permissions > Advanced, and remove Write permission for all users. Then AV cannot hijack EXEs, and even if you are unlucky enough to catch AV you can still run security software to clean it. Bear in mind that malware running with administrator rights can take ownership of the key and grant itself write access again, so this raises the bar rather than closing the door; running day to day as a limited user is what makes the permission stick.
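To make the mechanism concrete, here is an added Python example (not part of the original post) that works from the text `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` prints on XP (one key path per line followed by indented "name type data" lines). It shows what Windows really starts when a hijacked image is launched, flags Debugger values that do not point at a known debugger, and generates the immunization .reg shown above for a list of names. The query output is constructed, not a real capture; the trusted-debugger list and the assumption that reg.exe separates columns with tabs or runs of spaces are this example's own.

```python
"""Model and detect IFEO Debugger hijacks from `reg query ... /s` output.

Added example, not part of the original post. SAMPLE_QUERY is constructed.
"""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers that legitimately appear in IFEO ("ntsd -d" is the default placeholder entry;
# procexp.exe is written by Process Explorer's "Replace Task Manager"). Example's own list.
TRUSTED_DEBUGGERS = {"ntsd", "ntsd.exe", "cdb.exe", "windbg.exe", "procexp.exe"}

_SEP = re.compile(r"\t|\s{2,}")   # assumption: reg.exe pads columns with tabs or 2+ spaces


def image_name(command):
    """Lowercase base name of the first token of a command line (quotes respected)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.rsplit("\\", 1)[-1].lower()


def parse_reg_query(text):
    """Return {image subkey (lowercase): {value name: data}} from `reg query /s` output."""
    ifeo, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):          # blank or reg.exe banner
            continue
        if raw.startswith("HKEY_"):
            path = raw.strip()
            current = None if path.lower() == IFEO_KEY.lower() else path.rsplit("\\", 1)[-1].lower()
            if current is not None:
                ifeo[current] = {}
            continue
        if current is None or not raw[0].isspace():
            continue
        cols = _SEP.split(raw.strip(), maxsplit=2)
        if len(cols) == 3:
            name, _type, data = cols
            ifeo[current][name] = data


    return ifeo


def resolve_launch(ifeo, command_line):
    """What CreateProcess really starts: with a Debugger value present, the debugger
    runs and the original command line becomes its arguments. The lookup is by
    file name only, which is why renaming a tool sidesteps the hijack."""
    debugger = ifeo.get(image_name(command_line), {}).get("Debugger")
    return command_line if debugger is None else f"{debugger} {command_line}"


def find_hijacks(ifeo, trusted=TRUSTED_DEBUGGERS):
    """Return [(image, debugger)] for Debugger values that are not a trusted debugger."""
    return [(image, values["Debugger"]) for image, values in sorted(ifeo.items())
            if values.get("Debugger") and image_name(values["Debugger"]) not in trusted]


def immunize_reg(malware_images, decoy="123.exe"):
    """The post's immunization trick as .reg text: point each known malware image at a
    debugger that does not exist, so launching it fails. Only helps against known names."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in malware_images:
        lines += [f"[{IFEO_KEY}\\{image}]", f'"Debugger"="{decoy}"', ""]
    return "\n".join(lines)


# Constructed `reg query` output (not a real capture).
SAMPLE_QUERY = f"""! REG.EXE VERSION 3.0

{IFEO_KEY}\\Your Image File Name Here without a path
    Debugger    REG_SZ    ntsd -d

{IFEO_KEY}\\qq.exe
    Debugger    REG_SZ    C:\\WINDOWS\\SYSTEM32\\VIRES.EXE

{IFEO_KEY}\\logo_1.exe
    Debugger    REG_SZ    123.exe

{IFEO_KEY}\\iexplore.exe
    DisableHeapLookaside    REG_DWORD    0x1
"""

if __name__ == "__main__":
    table = parse_reg_query(SAMPLE_QUERY)
    print(resolve_launch(table, r'"C:\Program Files\Tencent\QQ\QQ.exe" /start'))
    for image, dbg in find_hijacks(table):
        print(f"hijacked: {image} -> {dbg}")
    print(immunize_reg(["sppoolsv.exe", "logo_1.exe"]))
```

Note that the decoy entry for logo_1.exe is reported as a hijack too: the detector cannot tell a deliberate redirect to a non-existent 123.exe from a hostile one, so keep a list of the decoys you planted and compare against it when reviewing the output. The iexplore.exe subkey, which carries only a compatibility flag and no Debugger value, is correctly left alone.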
Kaspersky's Proactive Defense can also be used to block IFEO hijacking:

Add the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Add the value:
Debugger
Protect Kaspersky's own process through the system services:
Control Panel > Administrative Tools > Services
Find the Kaspersky service, right-click > Properties, and configure it as shown in the figure.
Turn off Kaspersky's self-defense before changing the settings and turn it back on afterwards.

That concludes this tutorial. If you are really too green and still cannot clean up, run SREng's smart scan and post the scan log on one of the major security forums or elsewhere on the Internet and ask the experts for help. If there is nothing important on your computer, the simple way out is to repartition and reinstall the system.

Analysis of Email-Worm.Win32.NetSky.r

1. Virus label:
Virus name: Email-Worm.Win32.NetSky.r
Virus type: worm
File MD5: 04871D17DBBD1911AFC76AAD6D9DBD20
Disclosure: full
Severity: 4
File length: 28,008 bytes
Affected systems: Windows 98 and later
Packer: PEtite 2.2

2. Description:

This is an e-mail worm. When run it copies itself to the system directory and drops its files. It modifies the registry, adding a startup entry so that it runs at boot. It searches the user's computer for e-mail addresses and mails itself out as an attachment; other users who open the attachment are infected.

3. Behaviour analysis:

Local behaviour:

1. When run, the file drops the following files:
%WinDir%\base64.tmp size: 38,382 bytes
%WinDir%\firewalllogger.txt size: 23,040 bytes
%WinDir%\sysmonxp.exe size: 28,008 bytes
%WinDir%\zipo0.txt size: 38,834 bytes
%WinDir%\zipo1.txt size: 38,822 bytes
%WinDir%\zipo2.txt size: 38,826 bytes
%WinDir%\zipo3.txt size: 38,826 bytes
%WinDir%\zippedbase64.tmp size: 28,330 bytes

2. Creates the registry entry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\run]
Value name: "SysMonXP"
Type: REG_SZ
Data: "C:\WINDOWS\SysMonXP.exe"
Purpose: adds a startup entry so that the worm runs at boot.

3. Deletes the registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Value name: "@" (default)
Type: REG_SZ
Data: "%SystemRoot%\system32\webcheck.dll"
Purpose: removes the registration of the web site monitoring COM component DLL.

4. The worm searches files of many formats on the user's computer for e-mail addresses and sends infected mail to those addresses; other users who open the attachment become infected.

5. The mass mailing slows the user's computer, consumes a great deal of network bandwidth and can even bring down some local networks.

Notes:
%Windir% the directory Windows is installed in
%DriveLetter% the root of a logical drive
%ProgramFiles% the default program installation directory
%HomeDrive% the partition the running system booted from
%Documents and Settings% the root of the current user's profile directories
%Temp% the current user's TEMP variable; the path is
%Documents and Settings%\<current user>\Local Settings\Temp
%System32% a variable path;
the virus queries the operating system for the location of the current System32 folder;
on Windows 2000/NT the default is C:\Winnt\System32;
on Windows 95/98/Me the default is C:\Windows\System;
on Windows XP the default is C:\Windows\System32.

4. Removal:
1. Antiy Ghostbusters (安天木马防线) removes this virus completely (recommended); download it from the Antiy web site: www.antiy.com.
2. For manual removal, delete the files and restore the settings listed in the behaviour analysis. ATool (Antiy's security management tool) is recommended; download it from www.antiy.com or http://www.antiy.com/download/index.htm.
(1) Use the Process Manager in Antiy Ghostbusters or ATool to end the virus process.

(2) Force-delete the virus files:
%WinDir%\base64.tmp size: 38,382 bytes
%WinDir%\firewalllogger.txt size: 23,040 bytes
%WinDir%\sysmonxp.exe size: 28,008 bytes
%WinDir%\zipo0.txt size: 38,834 bytes
%WinDir%\zipo1.txt size: 38,822 bytes
%WinDir%\zipo2.txt size: 38,826 bytes
%WinDir%\zipo3.txt size: 38,826 bytes
%WinDir%\zippedbase64.tmp size: 28,330 bytes

(3) Delete the registry entry added by the virus:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\run]
Value name: "SysMonXP"
Type: REG_SZ
Data: "C:\WINDOWS\SysMonXP.exe"
Purpose: the startup entry that runs the worm at boot.

(4) Restore the registry entry modified by the virus:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Value name: "@" (default)
Type: REG_SZ
Data: "%SystemRoot%\system32\webcheck.dll"
Purpose: restores the registration of the web site monitoring COM component DLL that the virus removed.

(5) Copy a webcheck.dll matching your operating system version into %SystemRoot%\system32.

Tuesday, November 20, 2007

Use Regedit to change the IE home page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(the current user's own home page setting, value "Start Page")

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
(the machine-wide default; "Default_Page_URL" is what "Use Default" in Internet Options restores, and "Start Page" here is the fallback when the user has none)

HKEY_USERS\S-1-5-21-3017043539-371357407-3115851261-1008\Software\Microsoft\Internet Explorer\Main
(the same per-user setting for one specific account, addressed by its SID, as seen from another account or from an offline hive)

Browser hijackers change the same three values, so these are the keys to check when the home page keeps changing by itself.

===============================================================
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.ite.edu.sg/ite/index_op.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.ite.edu.sg/ite/index_op.html"
"Start Page"="http://www.ite.edu.sg/ite/index_op.html"

===============================================================
